Sandwich restaurant chain Jimmy John’s recently acknowledged that point-of-sale (PoS) malware was used to steal customer credit card data from 216 of its stores and franchisees between June 16, 2014 and September 5, 2014.
Specifically, the company says, the malware appears to have been installed on PoS devices at most of the affected stores on July 1, 2014, although some of the stores were impacted as early as June 16, 2014. The malware was removed from most of the stores between August 3 and August 5, 2014, although it wasn’t removed from some stores until later.
While Jimmy John’s says it “does not have sufficient information to contact potentially affected customers,” a list of all affected stores and dates of exposure can be viewed here.
The information potentially exposed includes card numbers and, in some cases, cardholder names, verification codes and/or expiration dates. That combination is essentially the contents of the card's magnetic stripe, which is what malware that captures swipes on a PoS terminal is built to collect.
“Jimmy John’s has taken steps to prevent this type of event from occurring in the future, including installing encrypted swipe machines, implementing system enhancements, and reviewing its policies and procedures for its third party vendors,” the company said in a statement.
Signature Systems, which provides the PoS systems for the affected Jimmy John’s locations, has acknowledged that in addition to the affected Jimmy John’s stores, 108 independent restaurant locations were also affected by the same breach. A full list of those independent restaurants, from DeNiro’s Pizza & Subs in Baltimore, Maryland to Wings To Go in Feasterville, Pennsylvania, can be viewed here.
“We have determined that an unauthorized person gained access to a user name and password that Signature Systems used to remotely access PoS systems,” Signature said in a statement. “The unauthorized person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants.”
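Signature's description above (malware that captures data from cards swiped through the terminal) and the "encrypted swipe machines" remediation Jimmy John's cites are two sides of the same mechanism. The block below is an added example, not code from the page, from Signature Systems, or from any malware sample: it models the memory-scraping technique such PoS malware uses, scanning a process buffer for track-2 records and keeping only Luhn-valid PANs, and then shows that when the swipe device encrypts at the read head, the same scan over the same buffer finds nothing. The buffer contents, the key, the test PANs and the XOR stream cipher standing in for the reader's encryption are all constructed for the demo.

```python
import hashlib
import re

# Track 2 as a mag-stripe reader delivers it: PAN '=' YYMM service-code discretionary '?'.
# The lookbehind keeps a longer digit run from being split into a bogus PAN.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample of PoS process memory. 4111111111111111 is a Luhn-valid test number,
# not a real card; the 13-digit record fails Luhn and must be ignored by the scraper.
SAMPLE_POS_MEMORY = (
    b"\x00\x00PoS receipt buffer\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00order: #8812 total 12.48\x00"
    b"1234567890123=2512101?"
    b"\x00\x00"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check on a PAN; scrapers use it to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_track2(memory: bytes) -> list:
    """Return (PAN, expiry YYMM, service code) for every Luhn-valid track-2 record in a buffer."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((pan, m.group(2).decode(), m.group(3).decode()))
    return hits


def encrypt_at_read_head(track: bytes, key: bytes) -> bytes:
    """Stand-in for an encrypting swipe device: XOR with a SHA-256-derived keystream.

    Real point-to-point encryption readers derive per-swipe keys (DUKPT) inside tamper-resistant
    hardware; this toy cipher is only here to show that the bytes the PoS application (and any
    scraper reading its memory) sees are ciphertext, not track data. Assumed, not from the page.
    """
    keystream = b""
    counter = 0
    while len(keystream) < len(track):
        keystream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(track, keystream))


def scrape_comparison() -> tuple:
    """Scrape a plaintext-swipe buffer and an encrypted-swipe buffer holding the same card."""
    plain_hits = scrape_track2(SAMPLE_POS_MEMORY)
    track = b";4111111111111111=25121011234567890?"
    encrypted_memory = (
        b"\x00\x00PoS receipt buffer\x00"
        + encrypt_at_read_head(track, b"constructed-demo-key")
        + b"\x00order: #8812 total 12.48\x00"
    )
    return plain_hits, scrape_track2(encrypted_memory)


if __name__ == "__main__":
    plain, encrypted = scrape_comparison()
    print("plaintext swipe, scraper found:", plain)
    print("encrypted swipe, scraper found:", encrypted)
```

The same pattern, run by a defender over a memory dump or a network capture rather than by malware over a live process, is a quick way to confirm whether track data is ever present in the clear on a terminal; the Luhn filter matters in both roles, since receipt buffers are full of digit runs that are not card numbers.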
Steve Hultquist, chief evangelist at RedSeal Networks, said by email that the breach serves as a reminder that there are many ways for cyber criminals to steal data. “In this case … login credentials from a vendor provided access to customers’ card information,” he said. “This is an example of both weak authentication and broad authorization: the credentials could be stolen without the awareness of the valid user, and once stolen, the thief had access to more information than the vendor should have been able to access.”
Investigative reporter Brian Krebs, who first broke the news of the breach several weeks ago, reports that Signature’s core product, PDQ POS, was not approved by the PCI Security Standards Council for new installations after October 28, 2013. “As a result, any Jimmy John’s stores and other affected restaurants that installed PDQ’s product after the Oct. 28, 2013 sunset date could be facing fines and other penalties from the PCI Council,” Krebs writes.
The U.S. Department of Homeland Security last month issued an advisory warning that more than 1,000 American businesses had already been impacted by the Backoff PoS malware, which scrapes payment card track data from the memory of running PoS processes, and that many victims were likely still unaware that they had been compromised.
“Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the Backoff malware,” the advisory stated. “Seven PoS system provider/vendors have confirmed that they have had multiple clients affected.”